The Federal Government launched the Federal Risk and Authorization Management Program (FedRAMP) in June 2012 to account for the unique security requirements surrounding cloud computing. FedRAMP consists of a subset of NIST Special Publication (SP) 800-53 security controls targeted towards cloud provider and customer security requirements.
Based on NIST guidance, FedRAMP control baseline, industry best practices, and the Internal Revenue Service (IRS) Publication 1075, this guidance document provides agencies guidance for securing FTI in a cloud environment. These requirements are subject to change, based on updated standards or guidance. Agencies and their cloud providers should also review the requirements of FedRAMP and ensure overall compliance with these guidelines.
As defined by the National Institute of Standards and Technology (NIST), “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable, computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and consists of five essential characteristics, three service models and four deployment models.”
As agencies look to reduce costs and improve reliability of business operations, cloud computing offers an alternative to traditional data center models. Cloud solutions reduce direct hardware expenditures and may eliminate redundant operations and consolidate resources.
However, while cloud computing offers many potential benefits, it is not without risk. The primary security concerns with cloud computing are:
- Data is not stored in an agency-managed data center,
- The agency must rely on the provider’s security controls for protection,
- Data is not transferred securely between the Cloud provider and service consumer,
- Interfaces to access Federal Tax Information (FTI) in a cloud environment including authentication and authorization controls may not be secured per customer requirements and
- Data from multiple customers may be potentially commingled in the cloud environment.
Monitoring and addressing security issues that arise with FTI in a cloud environment remain in the purview of the agency. Limiting access to authorized individuals becomes a much greater challenge with the increased availability of data in the cloud, and agencies may have greater difficulties to identify FTI when segregated or commingled in the cloud environment. Agencies that utilize a public cloud model should have increased oversight and governance over the security controls implemented by their cloud provider.
Cloud Computing Definition
Five essential characteristics define a cloud computing environment and differentiate it from a traditional computing environment:
- On Demand Self Service – customer can provision computing resources without requiring interaction with the service provider.
- Broad Network Access – computing resources are provided over the network and accessed through various platforms.
- Resource Pooling – computing resources are pooled to serve multiple customers with resources dynamically assigned according to customer need.
- Rapid Elasticity – resources can be rapidly provisioned to scale up or down based on real-time need.
- Measured Service – resource usage can be monitored and controlled using a metering capability.
Service and Deployment Models
An agency’s cloud implementation is a combination of a service model and a deployment model.
The resource stack provided as part of the cloud solution and the responsibilities which fall between the agency and the cloud provider define service models. NIST SP 800-145 outlines the possible service models that may be employed during a cloud implementation.
- Software as a Service (SaaS). The capability gives the customer use of the provider’s applications running on the provider’s cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. The SaaS model provides the highest level of abstraction in which the provider is managing the facilities, the interaction between software and hardware and the software itself. The provider is responsible for the highest amount of security and data protection under this model, and the customer will negotiate into the service contract with the provider.
- Platform as a Service (PaaS). The capability provides the customer the ability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. PaaS adds a layer of integration with application development frameworks, middleware capabilities that allow developers to build applications on the platform with programming languages and tools supported by the stack. The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Security is a shared responsibility with the provider responsible for the underlying platform infrastructure, and the customer is responsible for securing the applications developed on the platform.
- Infrastructure as a Service (IaaS). The capability provides the customer provision processing, storage, networks, and other fundamental computing resources where the customer is able to deploy and run arbitrary software, which can include operating systems and applications. The computing infrastructure is typically deployed as a virtual environment. The customer does not manage or control the underlying cloud infrastructure but has control over operating systems; storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). The customer is responsible for the highest amount of security and data protection under this model.
Organizations have several choices for deploying a cloud computing model, as defined by NIST in SP 800-145:
- Private cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party and may exist on premise or off premise. The private cloud model is typically considered the lowest risk out of the different deployment models because the organization retains the most control over the deployment of their data, and computing resources can be segregated or dedicated to a specific organization or business unit. Ownership, operations and maintenance of the facilities, computer hardware and software may fall under the responsibilities of an organization directly associated with the customer (e.g. state government-wide, agency specific). However, some commercial cloud providers may also offer a private cloud service.
- Community cloud. Several organizations share the cloud infrastructure and support a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third-party and may exist on premise or off premise. A community cloud may contain multiple customers that share a similar purpose (e.g. a cloud environment may be established to serve only multiple Federal government customers). The existence of multiple customer data sets may make it difficult to prevent commingling of data. Ownership, operations and maintenance of the facilities, computer hardware and software may fall with either the community or a cloud provider.
- Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. The public cloud model is typically considered the highest risk due to its wide-scale accessibility and limited segregation of services. Customer data is comingled and difficult to identify for auditing purposes. Ownership, operations and maintenance of the facilities, computer hardware and software most often falls with the cloud provider.
- Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). The evaluation of risk at the hybrid cloud model is unique to each deployment.
The following table summarizes the four deployment models, and the relationship of system management, ownership and location for each model.
|System Management||System Owners||System Location|
|Private||Agency or Provider||Agency or Provider||Agency or Provider Site|
|Community||Agency or Provider||Agency or Provider||Agency or Provider Site|
|Hybrid||Agency or Provider||Agency or Provider||Agency or Provider Site|
The risk to data varies in each of the four deployment models, with of private cloud typically being the lowest risk model, and public cloud being the highest risk model. Depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements provided those compensating controls must provide the same level of protection as mandatory controls for safeguarding FTI.
The service and deployment model used in a cloud computing environment will determine the responsibility for security controls implementation between the agency and the cloud provider for the protection of FTI that is stored or processed cloud environment. The delineation of security control responsibility is heavily dependent on the service and deployment models of the solution the agency is adopting. For example, if the solution is a SaaS e-mail solution, the agency may be responsible for a small subset of security control responsibilities including Access Controls. If the agency is deploying their own applications to a PaaS or IaaS solution, they will have greater responsibility for securing the application layer, and potentially the platform and middleware; and may have responsibilities in almost all of the Publication 1075 (NIST 800-53) control families with the exception of possibly the personnel and physical security requirements. Figure 1 is a notional illustration of the differences in scope between the cloud consumer (agency) and cloud provider for each of the service models discussed above.
Figure 1. Security Control Responsibility
Figure 1 is a notional illustration of the differences in scope between the cloud consumer (agency) and cloud provider for each of the service models discussed above.
Defining a Cloud within the context of the Office of Safeguards
The above definitions, largely created by NIST, define cloud computing for the industry at large. Due to the nature of relationships between IRS, partner agencies, consolidated data centers and third-party providers, there are certain circumstances to consider when determining whether FTI resides in a cloud environment:
Examples of Cloud Environments (non-comprehensive) where Safeguards would require a 45-day Notification and would subsequently assess the solution using the Safeguards Cloud Computing Safeguards Computer Security Evaluation Matrix (SCSEM) during an onsite review:
- Traditional Cloud Services: Instances where an agency has contracted with well-known cloud vendors for supporting/implementing FTI systems. Examples include, but are not limited to and are not endorsed by the Office of Safeguards.
- Google Docs/Email/Applications for Government
- MS365, MS Azure
- Data Storage Solutions: Instances where an agency uses third-party provided data storage and movement systems which meet cloud definition (multi-tenant, multiple facilities, etc.). Examples include, but are not limited to and are not endorsed by the Office of Safeguards.
Specific examples where Safeguards would not consider an agency solution to be a cloud environment requiring 45-day notification and use of the Cloud Computing SCSEM during an on-site review.
- Contracted Third-Party Services: Instances where an agency has contracted a specific business process which a third-party implements using their own technology. Examples include (but not limited to):
- Collections Agencies
- Call Centers
- Field offices
- Hosted Solutions/Systems: Instances where an agency maintains the ownership and configuration of technologies located in a third-party managed facility.
- Agency only relies on the third-party for rack space, power, and cooling
- Agency maintains root-level controls of its technologies
- Contractor-managed Consolidated Data Centers: Instances where a state has outsourced the management of a consolidated data center (CDC) to a third-party contractor.
- Safeguards still must assess these data centers consistent with existing methodologies
Note: There may be contractor access issues to certain data types
- Safeguards still must assess these data centers consistent with existing methodologies
- Agency-managed Virtual Environments: Instances where an agency and/or state information technology (IT) division have provisioned a virtual environment which hosts FTI systems. The virtual environment is on-premises or at a CDC.
- Assessment can be performed using the appropriate virtualization SCSEM
- Agency may use the word “cloud” to describe their own systems but will not be assessed as such
Mandatory Requirements for FTI in a Cloud Environment
The following mandatory controls are applicable for all cloud service and deployment models. However, as stated earlier, depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements provided those compensating controls afford the same level of protection as mandatory controls for safeguarding FTI. Potential compensating controls will be evaluated by the IRS Office of Safeguards as part of the cloud computing notification (see requirement below).
To utilize a cloud computing model to receive, transmit, store or process FTI, the agency must be in compliance with all Publication 1075 requirements. The following mandatory requirements are in effect for introducing FTI to a cloud environment:
Agencies maintaining FTI within cloud environments must engage services from FedRAMP certified vendors to complete the authorization framework resulting in an Authority to Operate.
Cloud solutions used to receive, process or store must undergo a complete assessment using the FedRAMP Authorization Framework from an authorized third-party assessment organization (3PAO). The assessment must result in an Authority to Operate granted by the FedRAMP organization. Only FedRAMP-authorized solutions may receive, process, store or transmit FTI. The discovery of FTI in a non-FedRAMP cloud during an onsite Safeguards review will result in a Critical finding.
Agencies must leverage vendors and services where (i) all FTI physically resides in systems located within the United States; and (ii) all access and support of such data is performed from the United States.
Identification of requirement that FTI may not be accessed by contractors located “offshore”, outside of the United States or its territories. All physical locations where FTI is stored, transmitted, processed and/or received must remain within the United States. This includes all primary and secondary data centers and any backup facilities. Additionally, cloud environments (and any components, including, but not limited to, storage, virtualization, operating systems and networking) may not be accessed by vendor administrators from networks outside the United States. Further, FTI may not be received, stored, processed or disposed via information technology systems located off-shore. The discovery of offshore storage and/or access to FTI during an onsite Safeguards review will result in a Critical finding.
Agencies and their cloud providers must provide a complete listing of all data centers within the cloud environment where FTI will be received, processed, transmitted or stored.
In addition to certifying all data centers, environments and equipment reside onshore, the agency and provider must disclose all physical locations where FTI is received, processed, stored and maintained. Safeguards cannot approve the implementation of cloud solutions without a full understanding of the physical locations where FTI is processed, in addition to understanding the logical protections the solution provides.
The agency must notify the IRS Office of Safeguards at least 45 days prior to transmitting FTI into a cloud environment.
To utilize a cloud environment that receives, processes, stores or transmits FTI, the agency must meet the following mandatory notification requirement:
- The agency must submit a Cloud Computing Notification (see Publication 1075 Section 9.4.1, Cloud Computing
Environments) to the IRS Office of Safeguards at least 45 days prior to transmitting FTI into a cloud environment.
The IRS strongly recommends that any agency planning on using a cloud computing model to receive, process, store and/or transmit FTI, contact the Office of Safeguards at SafeguardReports@irs.gov to schedule a conference call to discuss the details of the planned cloud computing implementation.
Software, data and services that receive, transmit, process or store FTI must be isolated within the cloud environment so that other cloud customers sharing physical or virtual space cannot access other customer data or applications.
One of the most common compliance issues with FTI is data location. Use of an agency-owned computing center allows the agency to structure its computing environment and to know in detail where FTI is stored and what safeguards are used to protect the data.
In contrast, a characteristic of many cloud computing services is detailed information about the location of an organization’s data is unavailable or not disclosed to the service subscriber. This makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.
IRS Publication 1075, section 5.2, Commingling of FTI, recommends separating FTI from other information to the maximum extent possible. Organizing data in this manner will reduce the likelihood of unauthorized data access and disclosure. If complete separation is not possible, the agency must label FTI down to the data element level. Labeling must occur prior to introducing the data to the cloud and the data must be tracked accordingly through audit trails captured for operating systems, databases and applications that receive, store, process or transmit FTI.
IRS Publication 1075, section 9.3.3, Audit & Accountability, states audit logs must enable tracking activities taking place on the system. It also contains requirements for creating audit-related processes at both the application and system levels. Within the application, auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application. Included in that section, as well, is the requirement for agencies to “coordinate the access and protection of audit information” with its cloud providers.
The agency must establish security policies and procedures based on IRS Publication 1075 for how FTI is stored, handled and accessed inside the cloud through a legally binding contract or SLA with their third-party cloud provider.
While the agency may not have direct control over FTI at all times, they ultimately maintain accountability while it is in the cloud, and the ownership rights over the data must be firmly established in the service contract to enable a basis for trust. The SLA is a mechanism to mitigate security risk that comes with the agency’s lack of visibility and control in a cloud environment. It is important that agencies establish SLAs with cloud providers that clearly identify Publication 1075 security control requirements and determine who has responsibility (provider, customer) for their implementation. At a minimum, SLAs with cloud providers must include:
- IRS Publication 1075, Exhibit 7 contract language;
- Identification of computer security requirements the cloud provider must meet per IRS Publication 1075, section 9, Computer System Security, which provides the security control requirements to include in agreements with third-party cloud providers;
- Identification of requirements for cloud provider personnel who have access to FTI. All cloud provider personnel with logical FTI access must have a justifiable need for that access and submit to a background investigation;
- Identification of requirements for incident response to ensure cloud providers follow the incident notification procedures required by IRS Publication 1075. In the event of an unauthorized disclosure or data breach, the cloud provider and agency must report incident information to the appropriate Agent-in-charge, TIGTA and the IRS Office of Safeguards within 24 hours according to Publication 1075, section 10, Reporting Improper Inspections or Disclosures;
- Agreement on the scope of the security boundary for the section of the cloud where FTI is accessible and systems with FTI reside. The agency must ensure that boundary details are included in the SLA between the two parties;
- Clearly state that agencies have the right to require changes to their section of the cloud environment and cloud providers will comply with IT policies and procedures provided by the agency;
- IRS Publication 1075, Exhibit 6, Contractor 45-day Notification Procedures contains a requirement for notifying the IRS prior to executing any agreement to disclose FTI to a contractor the cloud provider may utilize, or at least 45 days prior to the disclosure of FTI, to ensure appropriate contractual language is included and that contractors are held to safeguarding requirements and
- Identification of cloud provider employee awareness and training requirements for access to FTI and incident response. IRS Publication 1075, 6.2, Training Requirements states employees must be certified to understand the agency’s security policy and procedures for safeguarding IRS information prior to being granted access to FTI, and must maintain their authorization to access FTI through annual recertification.
FTI must be encrypted in transit within the cloud environment. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant, and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA.
IRS Publication 1075 requires encryption of FTI in transit in Section 126.96.36.199, Transmission Confidentiality and Integrity (SC-8). The agency must ensure that encryption requirements are included in contracts with third-party providers. The IRS does not advocate specific mechanisms to accomplish encryption as long as they are FIPS 140-2 compliant and configured securely. Additionally, agencies must retain control of the encryption keys used to encrypt and decrypt the FTI at all times and be able to provide information as to who has access to and knows information regarding the key passphrase.
FTI must be encrypted while at rest in the cloud using a NIST-validated, FIPS 140-2 compliant encryption module. Encryption protects the confidentiality and integrity of the data and provides a methodology for segmenting an agency’s data from others while stored. This requirement must be included in the SLA.
In a cloud environment, protection of data and data isolation are a primary concern. Encryption of data at rest provides the agency with assurance that FTI is being properly protected in the cloud. NIST’s SP 800-144 recommends, “Data must be secured while at rest, in transit and in use, and access to the data must be controlled.”
The IRS does not advocate specific mechanisms to accomplish encryption as long as they are FIPS 140-2 compliant and configured securely. Additionally, agencies must retain control of the encryption keys used to encrypt and decrypt the FTI at all times and be able to provide information as to who has access to and knows information regarding the key passphrase. If the agency is able to satisfy this requirement, effectively preventing logical access to the data from the cloud vendor, agencies may use cloud infrastructure for data types that have contractor-access restrictions.
Storage devices where FTI has resided must be securely sanitized and/or destroyed using methods acceptable by National Security Agency/Central Security Service (NSA/CSS). This requirement must be included in the SLA.
If a storage device fails, or in situations where the data is moved within or removed from a cloud environment, actions must be taken to ensure residual FTI is no longer accessible. The destruction or sanitization methods apply to both individual devices that have failed as well as in situations where the agency removes data from the cloud environment or relocates FTI to another environment.
The technique for clearing, purging and destroying media depends on the type of media being sanitized. Acceptable physical destruction methods would include disintegration, incineration, pulverizing, shredding, or melting. Repurposed media must be purged to ensure no residual FTI remains on the device.
As there are varied approaches towards secure sanitization based on provider specifications, cloud providers should consult their data storage provider to determine the best method to sanitize the asset. If the storage device will no longer be in service, the residual data must be purged using Secure Erase or through degaussing using a NSA/CSS approved degausser.
The cloud provider is required to notify the agency upon destroying or repurposing storage media. The agency must verify that FTI has been removed or destroyed and notify the IRS Office of Safeguards of the destruction of storage media in the agency’s annual Safeguard Security Report (SSR).
The agency must conduct an annual assessment of the security controls in place on all information systems used for receiving, processing, storing and transmitting FTI. The IRS Office of Safeguards will evaluate the risk assessment as part of the 45 Day notification requirement.
Agencies are required to conduct a risk assessment (or update an existing risk assessment, if one exists) when migrating FTI to a cloud environment. Subsequently, the risk assessment must be reviewed annually to account for changes to the environment. The implementation and an evaluation of the associated risks should be part of the risk assessment. The IRS Office of Safeguards will evaluate the risk assessment as part of the above notification requirement.
Cloud implementations which truly represent remote access from the internet must incorporate multi-factor authentication.
Remote access to the cloud where the access is available over the public internet requires multi-factor authentication. Multi-factor authentication requires at least two of the three criteria: 1) something a user knows (e.g., password); 2) something a user has (e.g., hardware cryptographic token) and 3) something a user is (e.g., using biometric information).
Customer defined security controls must be identified, documented and implemented. The customer defined security controls, as implemented, must comply with Publication 1075 requirements.
Cloud providers may designate selected controls as customer defined. For customer defined security controls, the agency must identify, document and implement the customer defined controls, in accordance with Publication 1075. Implementation of some controls may need to be done in partnership with the agency’s cloud provider, however the agency has primary responsibility for ensuring it is completed.
The agency’s capability to test the functionality and security control implementation of a subsystem within a cloud environment is more limited than the ability to perform testing within the agency’s own infrastructure. However, other mechanisms such as third-party assessments may be used to establish a level of trust with the cloud provider.
Note: IRS Office of Safeguards will test agency-managed security controls during onsite reviews using the appropriate SCSEM for applications, operating systems, database management systems, etc. This determination will be made based on the cloud service model (i.e., PaaS, IaaS, SaaS) used to process FTI and will be discussed prior to any onsite review. The Office of Safeguards onsite review team will leverage the Cloud Computing SCSEM to assess many of the service provider security control implementations.
Use the FTI Cloud Notification Form to submit a 45 Day Notification to the Office of Safeguards.
Additional information can be obtained through the following resources:
- Publication 1075 Tax Information Security Guidelines for Federal, State, and Local Agencies Safeguards for Protecting Federal Tax Returns and Return Information (September 2016) (PDF)
- Federal Risk and Authorization Management Program (FedRAMP)
- NIST SP 800-125, Guide to Security for Full Virtualization Technologies, January 2011 (PDF)
- NIST SP 800-145, The NIST Definition of Cloud Computing, September 2011 (PDF)
- NIST SP 800-146, Cloud Computing Synopsis and Recommendations, May 2012 (PDF)
- NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing (PDF)
- Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing v3.0, 11/14/2011